How to protect the source code?

140

I'm thinking of making an application to sell, I'd like to know how to protect my source code to keep my software safe.

I have seen that the Java bytecodes, stored in the .class file are easily converted back to .java using the Java Decompiler tool. a>

.class can be easily found within .jar for desktop, or even .apk , as shown in this post .

How do millions of apps on Google Play protect your source code? Because leaving them exposed seems a little insecure, does not it? If yes (if it is insecure), how can I develop applications that keep hidden source code in Java for desktop and Android?

EDITION

The response from @mgibsonbr convinced me not to be paranoid and want to protect all the source code, however there are some points of the application that can not be revealed due to data security reasons, for example:

try {
    String url = "jdbc:mysql://mysql01.meudominio.com/bd";
    Class.forName("com.mysql.jdbc.Driver");
    conn = DriverManager.getConnection(url,"usuario","senha");
    System.out.println("Remote database connection established");
}

Imagine the damage if someone has your database address, user, and password.

In the comments @mgibsonbr tried to answer this my doubt, but I did not understand, or maybe I did not leave the doubt clear, anyway.

On the obfuscator, through testing I could see that it works. However I have doubts if it is really the solution I am looking for or if the solution is to actually reshape my software in a way that does not save in the source code any kind of information that requires secrecy such as user, passwords and DB addresses.

If the solution is to reshape the software, please explain to me how to keep a file external to the source code in a way that it is not possible for the hacker to copy the part of my source code that reads of this external file, then having the code that can read the file, in the same way that my software does.

    
asked by anonymous 25.02.2014 / 16:07

7 answers

144

It is not possible, nor necessary, to take extreme measures to protect the source code. Focus your energies on what adds value to your business, rather than wasting it "treating customers as thieves and thieves as customers."

Is it possible to protect the source code?

You can not disable others from reverse engineering your program, at most you can make difficult . Code obfuscators are a good option if it is simple enough to deploy it next to your product. But that will not stop a dedicated attacker from figuring out how his software works or, more simply, simply copying his binary code himself.

Remember that:

  • In the same way that you can obscure your code, the attacker can dazzle you again and / or employ other techniques to make it appear that the copied code is different from yours. How to prove that it's the same code later? (in the case of a lawsuit, for example)

  • You may need to perform diagnostic actions on your program, debug parts with problems, etc. This becomes much more complicated if your code is overshadowed, increasing its cost in servicing customers. If the obfuscator itself does not introduce a bug, which would make the "de-fused" version work, but not the obfuscated one.

It is necessary to protect against ...

Piracy?

Whoever wants to copy your system will copy it anyway, regardless of "understand how it works" or not. Crack tools generally act on the binary itself, so there is no interest on the part of the attackers in the sources.

Competitors?

If the hardest part of marketing a product was to build it, then maybe that would be justified (in the case of mobile apps, it's not far from that, but I do not have enough experience to comment). But there is much more involved: marketing, support, continually improving the product from customer feedback, etc. It's already a pretty big job, and that's without having to worry about being sued at any time for copyright violations. A serious competitor will not copy your code, even if you rub it in his face.

As for "figuring out what your code does," I ask: is this really relevant? Are there trade secrets in it, or technologies not yet released to the general public, things that only you and your company know? If the answer is yes, then go ahead and protect. Otherwise, do not worry too much about it, probably your competitors already know everything they need to know about your system, what prevents them from copying it right now is the opportunity cost (ie you have arrived first, and have already won certain clientele, who comes later will have to make extra effort to steal it from you).

Hackers?

If your system uses " security for obscurantism ," then stop and review your design. Ideally, systems should be kept safe even if all the details about the algorithm are public, only the "key" (or equivalent) is secret. If you can not avoid this, making it harder to read the fonts will stop casual attackers (script kiddies) but not the more dedicated ones, so take that into account when weighing the risks.

Clients as thieves and thieves as clients

If your app is in an "App Store", 95% of people will simply buy it, do not try to steal it from you (lie, 20% will buy and 75% will not use your application). And the other 5% are not going to just say "oh, it's harder to copy, I think there's only one left for me to buy ..." - they will either give up once or go a little harder (remember that 1 person crack and distribute to all others). In one way or another they are not your customers , you will not get any money from them, so what difference does it make if they copied your application or not?

On the other hand, attempting to apply DRM (or any other anti-piracy measure) to a system can make it slower, buggy, complicated to install / use / debug, etc. This harms your customers indeed, those who have paid for your product and expect a quality experience.

In conclusion, take simple steps to protect your program when you can, but do not worry too much about it. Do not depend on the secrets of sources for safety. And focus on creating a better product than the competition, instead of being concerned about the competition copying your product as it is now (and not how it will be in 6 months, for example).

    
25.02.2014 / 17:17
38

I think the point is not to protect the source code itself, as many have already said.

However, I want to highlight this issue of protecting sensitive data. Robust applications and systems should not use such mechanisms, that is, encrypt login and password data.

Firstly because application access would be best done via a web service, eg a Rest API.

The best applicable concept would be to authenticate the user to this API using a register that he must do before accessing the system, for example, using the email and a password or key that he receives when he registers.

The application is then configured with the user account and sends the email and key to each request that it makes to the server, which then checks to see if the server has access to the requested function, performs the necessary action and returns the data for the application, for example via Json, HTML, or XML.

Thinking about another scenario, for example, where you make an application for restaurant orders. Each application connects directly to the restaurant bench. In this case, the access data could be set via configuration rather than fixed in the code.

Not only in mobile applications, but on any system, I would consider it a bad practice to leave hard-coded access data in the code.

    
05.05.2014 / 19:56
14

There is a native tool on the Android called proguard. Very simple to use, it does the same process of obfuscating java code from other tools.

Basically you enable by adding the project.properties line:

proguard.config=proguard.cfg

Once you generate an .APK by right clicking on the project, going to Android Tools and then Export Signed Application Package, the code will be obfuscated. The same goes for the Export Unsigned Application Package option.

You can use a proguard.cfg template that is located in the tools / proguard / . SDK installation directory in this folder there are two files proguard-android.txt and proguard-android-optimize.txt

Source and more information at link

    
25.02.2014 / 16:34
12

Solution for source code protection

The only alternative I found to this is known as Ofuscamento of .JAR , with it you will difficulty reverse engineering in your application below some links that explain about the subject with great details.

Links related to Obfuscation:

  • Related Doubt
  • Protecting Your Code
  • Java - Tooth
  • Download PDF About Obfuscation
  • Obfuscate code
  • Obfuscation Program

    I use proGuard to do this ofuscamento making reverse engineering difficult on .JAR

    Links to ProGuard

    Note: The links are for the understanding of the subject.

        
    25.02.2014 / 16:26
    10

    After reading the various answers, I want to say that I agree with most, but having debated not for a long time with the same problem I would like to put some points that I think it is important to mention.

  • Java code is totally dependent on the JVM binaries, so to be able to run and take advantage of all its features, it will always depend on the JVM, depending on someone or something. It is no coincidence that multinationals invest millions in programming languages and platforms.

  • The motivation to violate a source code of any software is dependent on the value the market places on the solution and its cost of use license, ie, more success more investment by those who protect, attacks "

  • To protect a proprietary solution several may be solutions but clearly not by code.

  • Today a software solution is much more than a product ... The trend is increasingly to be a product with services or set of services.

    In my opinion a licensing system is essential because today a software is much more than its source code, it is also a specific market ... and because everything costs money even what is tassel has a cost, it is important know the market that our final software product achieves, and then make decisions.

    In many systems it is also important to deliver some level of data security and control, and a licensing system helps a lot.

    Having a licensing system does not mean having the code inviolable, it puts only a control over who uses it when and how ... The technological solutions are there ... be it cryptography, webservices that put the secret of the business on the side of servers, etc.

    Of course, we should make life more difficult for anyone who tries to violate the source code and for that, use the one that best fits your solution.

    A user is always a potential customer and with that in mind, the sky is the limit.

        
    07.09.2014 / 01:47
    8

    Well, I downloaded apk and I already applied reverse engineering on the others program to see how they were done. In my case as a programmer of Games wanted to get some ideas, but I never got a source code in full, just saw what was good and optimized my own code. I found lots of Class that came in the java itself and did not know it, putting it in my project and streamlining the service. The most they will do is take ideas of the good part of your code, only you remove the comments already jams a lot, because the comments can be recovered, since the variables do not, they have seen as var1, var2, var3 ... Dai tem that I deduced what was done there.

        
    27.03.2015 / 13:22
    3

    The best way for you to protect your source code is not to make it available to the user. Host the source code on the server and provide access to the resources only to authenticated users, a webservice . p>

    It is possible to make an application with the Java Enterprise Edition (JEE) platform in the backend, which has several technologies:

    • Servlets - These are Java components running on the server that are intended to generate dynamic (HTML and XML) content for the web.

    • Java Server Pages (JSP) - Servlet expertise that enables Java applications to be more robust and have ease of development.

    • Java Server Faces (JSF) - A Java-based MVC (Model, View and Controller) web framework that helps simplify the development of interfaces (system screens) through a UI model.

    • Java Persistence API (JPA) - This is a Java standard API that uses the relational object mapping concept and is used for data persistence. This tool brings a lot of productivity as it can develop applications that work with databases without writing any SQL lines.

    • Enterprise Java Beans (EJB) - These are components that run in an application container and provide ease and productivity in the development of distributed, transacted, secure and portable components.
    • JDBC (Java Database Connectivity), used in accessing and connecting to the database.

    Sources:

    link

    link

        
    05.04.2018 / 01:08